NOTE As explained in the Blaess et al. reference, the "-8" is used to account
for the fact that the first 8 bytes of the buffer are used to hold the addresses
to overwrite. Those 8 bytes are already counted by printf before any padding is emitted, so the first written value must be decreased by 8.
Using the Canary Value to Practice
Using Table 8-2 to construct the format string, let's try to overwrite the canary value
with the location of our shellcode.
CAUTION At this point, you must understand that the names of our
programs (getenv and fmtstr) need to be the same length. This is because
the program name is stored on the stack on startup, and therefore the two
programs will have different environments (and, in this case, different locations of the
shellcode) if their names are of different lengths. If you named your programs something
different, you will need to play around and account for the difference, or simply rename
them to the same length for these examples to work.
Gray Hat Hacking: The Ethical Hacker's Handbook
176
Table 8-2 (continued)

[addr+2][addr]                  \x42\x94\x04\x08\x40\x94\x04\x08    Notice second 16 bits go first.

%.[HOB - 8]x %.[LOB - 8]x                                          "." Used to ensure integers.
                                                                   Expressed in decimal. See
                                                                   note after the table for
                                                                   description of "-8".
                                                                   0xbfff-8=49143 in
                                                                   decimal, so:
                                                                   %.
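The following C program is an added example, not code from the book, that shows where the "-8" in the NOTE and in the "%.[HOB - 8]x" row of Table 8-2 comes from. printf keeps a running count of the characters it has emitted, and the 8 address bytes at the front of the format string are counted before the "%.Nx" padding is produced, so the precision must be the target minus 8. The program only measures the count with snprintf into a NULL buffer; the value 0x41424344 is a constructed placeholder for whatever stack word "%x" consumes, and nothing is written to memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Two 4-byte addresses at the front of the buffer, as in the
 * [addr+2][addr] row of Table 8-2. */
#define ADDR_BYTES 8

/* Precision that makes printf's running count reach `target` after the
 * first %.Nx, given that ADDR_BYTES have already been counted. */
long precision_for(long target) {
    return target - ADDR_BYTES;
}

/* Number of characters printf would count for
 * "[8 address bytes]%.<precision>x". The argument 0x41424344 is a
 * constructed placeholder; snprintf(NULL, 0, ...) returns the length
 * without writing anything. Returns -1 on a formatting error. */
long count_emitted(unsigned precision) {
    char fmt[32];
    snprintf(fmt, sizeof fmt, "%%.%ux", precision);   /* e.g. "%.49143x" */
    int n = snprintf(NULL, 0, fmt, 0x41424344u);
    if (n < 0)
        return -1;
    return ADDR_BYTES + n;
}

int main(void) {
    long target = 0xbfff;               /* the HOB value used in the table */
    long prec = precision_for(target);  /* 49143, as the table states */

    printf("precision for 0x%lx: %ld\n", target, prec);
    printf("count with    -8: %ld (0x%lx)\n",
           count_emitted((unsigned)prec), count_emitted((unsigned)prec));
    printf("count without -8: %ld (0x%lx)\n",
           count_emitted((unsigned)target), count_emitted((unsigned)target));
    return 0;
}
```

With the -8 applied the running count lands exactly on 0xbfff; without it the count overshoots by the 8 address bytes, which is the off-by-eight the NOTE warns about.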